https://live.paloaltonetworks.com/t5/globalprotect-discussions/cert-profile-and-saml-to-azure-with-gp-gateway-machine-cert/m-p/334378#M223 <P>Is it possible to use a Certificate Profile to verify a machine on your GP Gateway, all while using SAML authentication to Azure?&nbsp; SAML to our Azure instance works great for us now, but does the firewall use the certificate profile only as a 'pre-logon' user, or initial challenge, and then still send the user to azure to complete SAML authentication?&nbsp; &nbsp; &nbsp;Considering using certificates to verify machines, but still want to use SAML.&nbsp; &nbsp;We have Azure joined machines and thinking they have a certificate on them somewhere with a CA we could utilize. Looking to Add device authentication from an Azure joined/trusted machine, and still use SAML for users.&nbsp; &nbsp;</P> Fri, 19 Jun 2020 19:58:37 GMT Sec101 2020-06-19T19:58:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/cert-profile-and-saml-to-azure-with-gp-gateway-machine-cert/m-p/334378#M223 <P>Is it possible to use a Certificate Profile to verify a machine on your GP Gateway, all while using SAML authentication to Azure?&nbsp; SAML to our Azure instance works great for us now, but does the firewall use the certificate profile only as a 'pre-logon' user, or initial challenge, and then still send the user to azure to complete SAML authentication?&nbsp; &nbsp; &nbsp;Considering using certificates to verify machines, but still want to use SAML.&nbsp; &nbsp;We have Azure joined machines and thinking they have a certificate on them somewhere with a CA we could utilize. Looking to Add device authentication from an Azure joined/trusted machine, and still use SAML for users.&nbsp; &nbsp;</P> Fri, 19 Jun 2020 19:58:37 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/cert-profile-and-saml-to-azure-with-gp-gateway-machine-cert/m-p/334378#M223 Sec101 2020-06-19T19:58:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/cert-profile-and-saml-to-azure-with-gp-gateway-machine-cert/m-p/335405#M240 <P>Yes, this is perfectly possible.&nbsp; We do this w/ our SAML authentication.&nbsp; If you add a certificate profile under your-GP-portal (or gateway) &gt; Authentication &gt; Certificate Profile, any client that connects to that portal/gateway will need a cert signed by that CA.&nbsp; You can still use SAML authentication for the user.&nbsp; From the documentation:<BR /><BR /></P><TABLE><TBODY><TR><TD><DIV class="Table_Cell">Certificate Profile</DIV></TD><TD><DIV class="Table_Cell">(<SPAN class="Teletype">Optional</SPAN>) Select the<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">Certificate Profile</SPAN><SPAN>&nbsp;</SPAN>the gateway uses to match those client certificates that come from user endpoints. With a Certificate Profile, the gateway authenticates the user only if the certificate from the client matches this profile.</DIV><DIV class="Table_Cell">If you set the<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">Allow Authentication with User Credentials OR Client Certificate</SPAN><SPAN>&nbsp;</SPAN>option to<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">No</SPAN>, you must select a<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">Certificate Profile</SPAN>. If you set the<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">Allow Authentication with User Credentials OR Client Certificate</SPAN><SPAN>&nbsp;</SPAN>option to<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">Yes</SPAN>, the<SPAN>&nbsp;</SPAN><SPAN class="uicontrol">Certificate Profile</SPAN><SPAN>&nbsp;</SPAN>is optional.</DIV><DIV class="Table_Cell">The certificate profile is independent of the OS.</DIV></TD></TR></TBODY></TABLE><P><BR /><BR /></P> Thu, 25 Jun 2020 18:47:48 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/cert-profile-and-saml-to-azure-with-gp-gateway-machine-cert/m-p/335405#M240 OwenFuller 2020-06-25T18:47:48Z